You Can Pass This Exam For Free
Choose Your Study Path
You hold CISA/CIA/CPA and have strong audit fundamentals, but limited exposure to AI/ML concepts. You need to build AI technical knowledge before learning how to audit it.
Exam Overview
Format
90 scenario-based multiple-choice questions, 150 minutes (2.5 hours). Computer-based testing at PSI testing centers or remote proctoring.
Scoring
Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question even if unsure.
Domains & Weights
- AI Governance and Risk: 33%
- AI Operations: 46%
- AI Auditing Tools and Techniques: 21%
Registration
Exam fee is $599 USD (non-member) or $459 USD (ISACA member). Available at PSI testing centers or via remote proctoring (remote not available in India, Mainland China, or Hong Kong). Candidates have a 6-month eligibility window after registration. Qualifying prerequisites: CISA (all holders), or CIA, US CPA, Canadian CPA, Australian CPA/FCPA, Japanese CPA, ACCA, FCCA, ICAEW ACA/FCA, CA ANZ, or Hong Kong CPA/FCPA (with IT audit or advisory role focus).
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
AI Governance and Risk
This domain tests your ability to advise stakeholders on AI governance structures, ethical AI policies, risk assessment methodologies, data governance programs, and regulatory compliance. You must understand how AI governance maps to organizational strategy and how to evaluate whether governance controls are adequate and operating effectively.
Key Topics
Must-Know Concepts
- AI governance structures: AI centers of excellence, AI ethics boards, RACI definitions for model owners, data scientists, risk management, and audit functions
- AI risk assessment methodologies: identify AI-specific risks (bias, drift, hallucination, adversarial attacks, data quality), assess likelihood and impact, and map to controls
- Ethical and responsible AI principles: fairness, accountability, transparency, explainability, privacy, safety, and inclusiveness — know how to audit compliance with each
- Data governance specific to AI: data lineage, data provenance, data quality metrics, data retention policies, consent management, and de-identification techniques
- Privacy considerations: data minimization, purpose limitation, consent management, cross-border data transfer restrictions, and privacy impact assessments for AI systems
- Regulatory frameworks: NIST AI RMF four functions (Govern, Map, Measure, Manage), ISO/IEC 42001 certification requirements, EU AI Act risk tiers and conformity assessments
- AI policy components: acceptable use policies, sanctioned vs unsanctioned AI tools, model approval workflows, data classification requirements, and third-party AI usage policies
- Workforce impact assessment: evaluating how AI implementation affects job roles, required skills, and organizational change readiness
- Third-party and vendor governance: right-to-audit clauses, vendor AI risk assessments, SLA requirements, and due diligence for AI service providers
Common Exam Traps
AI Operations
The largest domain at 46% — expect roughly 41 questions on operational AI topics. Covers the entire AI solution lifecycle, data management, MLOps, testing techniques, drift and bias monitoring, AI-specific threats and vulnerabilities, change management, and incident response. This is where traditional IT auditors lose the most points, as it requires understanding AI-specific technical operations that differ significantly from conventional IT systems.
Key Topics
Must-Know Concepts
- AI/ML lifecycle stages from an audit perspective: business case, data collection, data preparation, feature engineering, model development, training, validation, deployment, monitoring, maintenance, and decommissioning — know audit control points at each stage
- Data management for AI: data ingestion pipelines, feature engineering and feature stores, train/test/validation splits, cross-validation techniques, and data quality assurance
- Model development methodologies: supervised, unsupervised, and reinforcement learning approaches, model selection criteria, hyperparameter tuning, and reproducibility requirements
- Testing techniques: unit testing for AI components, integration testing, fairness testing (demographic parity, equal opportunity, disparate impact analysis), adversarial testing, and performance benchmarking
- Deployment and monitoring: model serving infrastructure, A/B testing, canary deployments, performance monitoring dashboards, drift detection (data drift, concept drift, model drift), and bias rechecking schedules
- AI-specific threats: data poisoning, prompt injection, model inversion, model theft/extraction, adversarial examples, supply chain attacks on pre-trained models, and hallucination risks
- Change management for AI: model versioning, approval workflows for model updates, impact assessment for retraining, rollback procedures, and documentation requirements for model changes
- Incident response for AI: escalation procedures for model failures, automated rollback triggers, root cause analysis for AI-specific incidents (drift, bias emergence, adversarial compromise), and communication protocols
- Vendor and API dependency management: third-party model risks, SLA monitoring, API versioning risks, and vendor lock-in assessment
- Supervision of AI outputs: human-in-the-loop requirements, confidence score thresholds, output validation procedures, and escalation criteria for low-confidence decisions
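As an added example (not from ISACA or this guide), the three fairness metrics named in the testing bullet above, computed by reperformance over a constructed sample of model decisions, with the four-fifths rule applied to the disparate-impact ratio. The group labels, the sample records and the 0.8 threshold are all assumptions.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample of decisions from a hypothetical credit model (not real data).
# Each record: (protected_group, actual_outcome, model_decision); 1 = approve.
SAMPLE = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 0), ("A", 0, 1),
    ("A", 0, 0), ("A", 0, 0), ("A", 0, 0), ("A", 1, 1), ("A", 0, 1),
    ("B", 1, 1), ("B", 1, 0), ("B", 1, 0), ("B", 1, 1), ("B", 0, 0),
    ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 1), ("B", 1, 0),
]

FOUR_FIFTHS = Fraction(4, 5)  # assumed disparate-impact threshold (80% rule)


def group_rates(records):
    """Per-group selection rate P[decision=1] and true-positive rate
    P[decision=1 | actual=1], kept as exact fractions for the workpaper."""
    sel = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    tpr = defaultdict(lambda: [0, 0])  # group -> [approved among actual=1, actual=1]
    for group, actual, decision in records:
        sel[group][1] += 1
        sel[group][0] += decision
        if actual == 1:
            tpr[group][1] += 1
            tpr[group][0] += decision
    rates = {g: Fraction(a, t) for g, (a, t) in sel.items()}
    tprs = {g: Fraction(a, t) for g, (a, t) in tpr.items() if t}
    return rates, tprs


def fairness_report(records):
    """Demographic parity, disparate impact and equal opportunity for one sample."""
    rates, tprs = group_rates(records)
    hi, lo = max(rates.values()), min(rates.values())
    tpr_hi, tpr_lo = max(tprs.values()), min(tprs.values())
    di_ratio = lo / hi if hi else Fraction(1)  # guard: nobody approved at all
    return {
        "selection_rate": rates,
        "demographic_parity_diff": hi - lo,        # gap in approval rates
        "disparate_impact_ratio": di_ratio,        # min rate / max rate
        "equal_opportunity_diff": tpr_hi - tpr_lo,  # gap in TPR among qualified applicants
        "fails_four_fifths": di_ratio < FOUR_FIFTHS,
    }


if __name__ == "__main__":
    for key, value in fairness_report(SAMPLE).items():
        print(f"{key}: {value}")
```

On this constructed sample group B is approved at half the rate of group A, so the disparate-impact ratio of 0.5 fails the four-fifths rule and would be written up as a fairness control finding.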
Common Exam Traps
AI Auditing Tools and Techniques
This domain covers the practical methodology of conducting AI audits, including scoping, planning, testing approaches, evidence collection, data analytics, and reporting. It also covers how AI tools can be used within the audit process itself to improve efficiency while maintaining independence and objectivity.
Key Topics
Must-Know Concepts
- AI audit planning and design: defining audit objectives, identifying AI system boundaries, selecting appropriate control frameworks, stakeholder identification, and risk-based scope determination
- Control testing methodologies for AI: walkthroughs, configuration reviews, code reviews, output sampling, reperformance of model predictions, and fairness/bias testing
- Evidence collection standards: sufficiency (enough evidence), reliability (trustworthy sources), relevance (related to control objectives), and reproducibility (can be independently verified)
- AI-specific audit evidence: model training logs, version control histories, performance metric dashboards, drift detection alerts, fairness test results, data lineage documentation, and approval records
- Audit sampling for AI: risk-based sampling vs random sampling, full-population testing enabled by AI analytics, stratified sampling across model outputs, and sample size determination
- Data analytics in AI audits: using AI tools for anomaly detection, pattern recognition, natural language processing for document review, and automated compliance checking
- Independence and objectivity when using AI tools in audits: avoiding over-reliance on AI-generated audit findings, maintaining professional skepticism, and documenting AI tool limitations
- AI audit reporting: communicating findings to technical and non-technical stakeholders, risk rating AI-specific findings, recommending remediation for AI control deficiencies, and follow-up procedures
- Documentation standards: workpaper requirements for AI audits, evidence preservation, audit trail completeness, and quality assurance review
Common Exam Traps
Concepts You Must Not Confuse on the AAIA Exam
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.